PatchSiren cyber security CVE debrief
CVE-2026-42774 Crocoblock CVE debrief
A critical SQL injection vulnerability (CWE-89) in Crocoblock JetEngine, a WordPress plugin, lets unauthenticated attackers inject attacker-controlled SQL into a database query. All versions through 3.8.8.1 are affected. With a CVSS 3.1 base score of 9.3 (Critical), this is a severe risk for WordPress sites running the plugin: the vector is network-reachable, attack complexity is low, and no privileges or user interaction are required. Scope is changed (S:C), meaning the impact reaches beyond the plugin itself into the shared WordPress database. Per the vector, confidentiality impact is High, availability impact is Low, and integrity impact is None, a profile that points to data extraction (reading tables such as user records and password hashes) rather than data modification. The CVE was published on May 25, 2026 and last modified on May 26, 2026. No exploitation in ransomware campaigns has been documented, and the vulnerability is not listed in CISA KEV.
- Vendor
- Crocoblock
- Product
- JetEngine
- CVSS
- CRITICAL 9.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-25
- Original CVE updated
- 2026-05-26
- Advisory published
- 2026-05-25
- Advisory updated
- 2026-05-26
Who should care
WordPress site administrators running the Crocoblock JetEngine plugin; security teams responsible for WordPress deployments; hosting providers with JetEngine customers; compliance officers responsible for data protection in WordPress environments
Technical summary
The JetEngine plugin for WordPress does not neutralize user-supplied input before incorporating it into an SQL query (CWE-89, improper neutralization of special elements used in an SQL command). Because the affected code path is reachable without authentication, any visitor can supply the injected input. Attack complexity is low and no user interaction is needed. The changed scope reflects that the query runs against the shared WordPress database, so the damage is not confined to JetEngine's own data. The High confidentiality rating indicates the injection can be used to read data out of the database; the None integrity rating indicates the published assessment does not credit it with the ability to modify data.
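The pattern the summary describes, as an added example that is not JetEngine's code: the vulnerable query in CVE-2026-42774 is not reproduced on this page, so the schema, the lookup function and the payload below are constructed stand-ins. They show how a search term spliced into SQL text lets an unauthenticated caller read an unrelated table, and how the parameterised form of the same query closes the hole. It runs against an in-memory SQLite database so it works offline.

```python
"""Added example (not JetEngine's code): the CWE-89 pattern the advisory describes.

The schema, lookup function and payload are constructed stand-ins. They run
against an in-memory SQLite database so the example works offline.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample schema mimicking two WordPress tables (names only)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE wp_posts (ID INTEGER, post_title TEXT, post_status TEXT);
        CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_pass TEXT);
        INSERT INTO wp_posts VALUES (1, 'Hello world', 'publish');
        INSERT INTO wp_posts VALUES (2, 'Draft notes', 'draft');
        INSERT INTO wp_users VALUES (1, 'admin', '$P$BconstructedHashValue000000000');
        """
    )
    return conn


def search_titles_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    """CWE-89: the caller-controlled term is concatenated into the SQL text.

    Only 'publish' posts are meant to be visible, but the WHERE clause is
    just text that the caller can close and extend.
    """
    sql = (
        "SELECT post_title, post_status FROM wp_posts "
        "WHERE post_status = 'publish' AND post_title LIKE '%" + term + "%'"
    )
    return conn.execute(sql).fetchall()


def search_titles_fixed(conn: sqlite3.Connection, term: str) -> list:
    """Parameterised form: the term travels as a bound value, never as SQL.

    This is the sqlite3 equivalent of $wpdb->prepare() in WordPress plugin code.
    """
    sql = (
        "SELECT post_title, post_status FROM wp_posts "
        "WHERE post_status = 'publish' AND post_title LIKE ?"
    )
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


# Read-only payload: closes the LIKE literal, appends a UNION that reads a
# different table, and comments out the trailing quote. Nothing is modified,
# which matches the C:H / I:N profile of the advisory's CVSS vector.
PAYLOAD = "' UNION SELECT user_login, user_pass FROM wp_users -- "


def leaked_logins(conn: sqlite3.Connection) -> list:
    """Logins that the vulnerable search hands back when fed PAYLOAD."""
    rows = search_titles_vulnerable(conn, PAYLOAD)
    # Rows from wp_users carry a password hash where post_status would be.
    return sorted(r[0] for r in rows if r[1].startswith("$P$"))


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", search_titles_vulnerable(db, PAYLOAD))
    print("fixed     :", search_titles_fixed(db, PAYLOAD))
```

The vulnerable path returns the `wp_users` row alongside the published post; the parameterised path treats the whole payload as a LIKE pattern and returns nothing. The same boundary is what `$wpdb->prepare()` enforces in WordPress, and it is the fix shape to look for when reviewing a plugin's query code.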
Defensive priority
critical
Recommended defensive actions
- Update JetEngine to a release later than 3.8.8.1 as soon as one is available, or apply vendor-provided patches; this page does not name the fixed version, so confirm it against the Crocoblock changelog
- WordPress sites rarely keep database query logs, so start from web-server access logs: look for requests to the plugin's unauthenticated entry points (admin-ajax.php actions and REST routes) whose URL-decoded parameters contain SQL keywords, quotes or comment sequences; enable MySQL/MariaDB general query logging only for a bounded window, as it is expensive
- Add Web Application Firewall (WAF) rules to detect and block SQL injection attempts against JetEngine endpoints, treating them as a stopgap rather than a fix, since generic SQL injection signatures can be evaded by encoding
- Temporarily disable JetEngine if patching is not immediately feasible and the plugin is not business-critical
- Audit user accounts (unexpected administrators, changed e-mail addresses) and database integrity for signs of unauthorized access; because the vector rates confidentiality High, treat password hashes and any secrets stored in the database as potentially read and rotate them if exploitation is suspected
- Subscribe to Crocoblock security advisories for updated patch information
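One way to do the access-log review called for above, as an added example that is not Patchstack's or Crocoblock's tooling: JetEngine's actual entry points and parameter names are not given on this page, so the paths, action names and parameters in the constructed log lines below are placeholders. The script parses combined-format access-log lines, URL-decodes each query parameter (twice, so double-encoded payloads are not missed), flags values carrying SQL metacharacters or keywords, and tags which WordPress entry point the request went through.

```python
"""Added example: triage access logs for SQL-injection attempts against WordPress.

Not Patchstack's or Crocoblock's tooling. The log lines, paths and parameter
names are constructed placeholders; JetEngine's real entry points are not on
this page.
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample lines in combined log format (IPs from documentation ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [25/May/2026:10:01:02 +0000] "GET /?s=hello HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [25/May/2026:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=listing_items&id=1%27%20UNION%20SELECT%20user_login%2Cuser_pass%20FROM%20wp_users--%20- HTTP/1.1" 200 812 "-" "python-requests/2.31"
198.51.100.4 - - [25/May/2026:10:02:15 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.4 - - [25/May/2026:10:02:40 +0000] "GET /wp-json/example/v1/items?filter=1%20AND%20SLEEP(5) HTTP/1.1" 200 102 "-" "curl/8.5"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Patterns applied to the decoded parameter value, not the raw URL.
SQLI_RE = re.compile(
    r"""(?ix)
    \bunion\b\s+(all\s+)?select\b                      # UNION SELECT
  | \bselect\b.+\bfrom\b                                # SELECT ... FROM
  | \b(sleep|benchmark|extractvalue|updatexml)\s*\(     # MySQL time/error-based probes
  | \b(and|or)\b\s+[\w'"]+\s*=\s*[\w'"]+                # tautologies such as 1=1
  | --\s | \# | /\*                                     # comment terminators
  | ;\s*(drop|insert|update|delete)\b                   # stacked statements
    """
)


def decode_params(target: str):
    """Split a request target into its path and a list of decoded (name, value) pairs."""
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    # parse_qsl percent-decodes once; decode again so %2527 -> %27 -> ' is caught.
    return parts.path, [(k, unquote_plus(v)) for k, v in pairs]


def entry_point(path: str) -> str:
    """Classify the WordPress entry point a request used (constructed categories)."""
    if path.endswith("/wp-admin/admin-ajax.php"):
        return "admin-ajax"
    if "/wp-json/" in path:
        return "rest"
    return "front-end"


def triage(log_text: str) -> list:
    """Return one record per request whose decoded parameters look like SQL injection."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, params = decode_params(m["target"])
        for name, value in params:
            found = SQLI_RE.search(value)
            if found:
                hits.append({
                    "ip": m["ip"], "ts": m["ts"], "path": path,
                    "entry": entry_point(path), "param": name,
                    "match": found.group(0), "status": int(m["status"]),
                })
                break  # one record per request is enough for triage
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

Treat the output as a triage list, not proof of compromise: a lone `#` in a search phrase will trip the comment rule, and POST bodies are not in access logs at all, so a quiet log does not rule exploitation out. A 200 response to a flagged request is the case to chase first.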
Evidence notes
SQL injection confirmed via CWE-89 classification. Affected versions explicitly stated as through 3.8.8.1. CVSS vector confirms unauthenticated network exploitation with changed scope.
Official resources
- CVE-2026-42774 CVE record (CVE.org)
- CVE-2026-42774 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference
The vulnerability was disclosed through Patchstack and subsequently indexed by NVD. The NVD record currently carries the status 'Deferred', which means NVD has not prioritized the entry for its own enrichment (CVSS, CWE and CPE analysis); it does not mean the vulnerability is disputed or unpatched. The score and weakness classification summarized here therefore come from the CVE record as published, not from an NVD analysis.